Security Hub FAQs

Created by Shubham Saxena, Modified on Sun, 6 Aug, 2023 at 6:10 AM by Shubham Saxena

How are product risk levels calculated?


For products that were discovered through OAuth, Spendflo shows the OAuth risk level associated with each product. Those risk levels can be viewed from the product inventory page.


What are OAuth 2.0 scopes?


OAuth 2.0 uses scopes as a mechanism to limit a product's access to a user's account. A product can request one or more scopes; the requested scopes are presented to the user on the consent screen, and the access token issued to the product is limited to the scopes the user granted.


What are Spendflo Access Risk Levels?


The risk levels are determined by the OAuth scopes that users have granted to the product on their Google Workspace (G Suite) or Microsoft (Azure AD) account.


  • High: Apps with modify access
  • Medium: Apps with read-only access to sensitive data
  • Low: Apps with read-only access to non-sensitive data


Why don't I see an Access Risk for a product?


Spendflo detects products from different sources, for example:


  • Single Sign On to products through your Identity Provider (Google, Okta, Azure, etc.)
  • Spend data from a finance or expense system
  • Manually entered products


Access Risk only applies to products detected from your Identity Provider, and only to a very specific form of Single Sign On called "OpenID Connect". OpenID Connect is most commonly seen as "Sign in with Google" buttons on some products, although it's also available on some apps for Microsoft 365. 


If a user is connecting to a product without using a "Sign in with Google" button, then they're likely connecting using SAML2 Single Sign On, which doesn't represent any access risk.


Finally, if someone did log in with OpenID Connect, but a very long time ago, then the so-called "access token" that lets the product interact with your Identity Provider might have expired. Since this no longer represents an active risk, the access risk will not be shown for that user against a product.
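The three risk levels above and the expired-token rule can be expressed as a small classifier over a product's granted scopes. This is an added illustration, not Spendflo's own code: the ".readonly" suffix test and the list of "sensitive" Google data families are assumptions, and the consent records are constructed sample data.

```python
from datetime import datetime, timezone

# Identity-only scopes granted by a "Sign in with Google" button (assumed Low).
IDENTITY_SCOPES = {"openid", "email", "profile",
                   "https://www.googleapis.com/auth/userinfo.email",
                   "https://www.googleapis.com/auth/userinfo.profile"}
# Assumption: Google data families treated as "sensitive" for the Medium level.
SENSITIVE_FAMILIES = {"gmail", "drive", "contacts", "calendar", "admin"}
LEVEL_RANK = {"Low": 0, "Medium": 1, "High": 2}

def scope_risk(scope: str) -> str:
    """Map one granted scope to High / Medium / Low as the FAQ defines them."""
    if scope in IDENTITY_SCOPES:
        return "Low"
    name = scope.rsplit("/", 1)[-1]        # e.g. "drive.readonly"
    if not name.endswith(".readonly"):
        return "High"                      # any modify access
    family = name.split(".", 1)[0]         # e.g. "drive"
    return "Medium" if family in SENSITIVE_FAMILIES else "Low"

def product_risk(grants, now):
    """Worst risk across a product's unexpired grants; None if no active token.
    grants: list of {"scopes": [...], "expires_at": ISO-8601 timestamp}."""
    worst = None
    for grant in grants:
        if datetime.fromisoformat(grant["expires_at"]) <= now:
            continue                       # expired token: no active risk
        for scope in grant["scopes"]:
            level = scope_risk(scope)
            if worst is None or LEVEL_RANK[level] > LEVEL_RANK[worst]:
                worst = level
    return worst

# Constructed sample consent records (not real Spendflo data).
NOW = datetime(2023, 8, 6, tzinfo=timezone.utc)
SAMPLE = {
    "scheduler": [{"scopes": ["openid", "https://www.googleapis.com/auth/calendar"],
                   "expires_at": "2023-09-01T00:00:00+00:00"}],
    "doc-viewer": [{"scopes": ["https://www.googleapis.com/auth/drive.readonly"],
                    "expires_at": "2023-09-01T00:00:00+00:00"}],
    "login-only": [{"scopes": ["openid", "https://www.googleapis.com/auth/userinfo.email"],
                    "expires_at": "2023-09-01T00:00:00+00:00"}],
    "stale-app": [{"scopes": ["https://www.googleapis.com/auth/gmail.modify"],
                   "expires_at": "2022-01-01T00:00:00+00:00"}],
}

if __name__ == "__main__":
    for product, grants in SAMPLE.items():
        print(product, product_risk(grants, NOW))
```

A product whose only grant has expired returns None, which corresponds to the inventory showing no Access Risk for it.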
